Although PHP is a typeless language it's possible to cast variables to
ints or floats. If your form is sending integers cast them to integers.
This should not, however, be the only line of defense. The form should
validate it's own input via javascript. e.g.,
(if (form.field.value <= 0 || form.field.value >= arbitrary_limit)
return false;)
If you're using strings you should also decode them from embedded url
encoded data with urldecode() e.g., str = urldecode(str). This will
convert embedded hexcoded characters.
I would suggest, though, using data filtering on the form using
javascript as your first line of defense. If you're accepting a string,
for example, only allow valid characters to be placed in the form field.
(I don't know the event handler syntax off hand but I know it can be done)
Good luck,
Nic
jeffrey rivero wrote:
what if a must be an integer and not a string ?
Kellox wrote:
well, that does only work if the variable is not included between two
single quotes.
consider
$sSql .= " where a = ". '$var';
in your code snippet. if you would inject or 1=1 in this case, the
string would be
where a = 'or 1=1', which actually is a string but not a sql command.
jeffrey rivero wrote:
Hello
Good Questions
ok for the
1.Single and double-quotes will be escaped by the function call
mysql_escape_string().
yep but what i am passing does not have " or ' in them think more
like or 1 = 1 and assume that your var is a number
so the injections would look like
$sSql = "select a,b,c ";
$sSql .= "from Table_1";
$sSql .= " where a = ".$var;
now if $var was lets say "1 or 1 = 1"
your resulting injection string would be
select a,b,c from Table_1 where a = 1 or 1 = 1
which might now be what you want
2. union injection ??
3. not sure will a post command still do a url encode ?? anyone ?
Kellox wrote:
Hi
Thx for your information so far.
Jeffrey Rivero wrote:
> how about something like
> " or 1 = 1"
> ??
Single and double-quotes will be escaped by the function call
mysql_escape_string().
jeff@downtowndevelopmentplan.com wrote:
> Don't forget that the best way to sanitize incoming data is to
only allow
> known-good input. Attempting to filter against a list of bad
characters has
> historically proven itself futile. Rewrite your function to
only allow the
> characters that your application expects.
>
> -Jeff
Actually I always use your recommended whitelist approach. but
since this filter function is part of a review I'm doing at the
moment, I was asking the question about a possible SQL injection
attack.
Pete Pinter wrote:
> Won't hex encoded strings get through? You might want to check
out this
> link:
>
> http://www.securityfocus.com/infocus/1768
>
> Cheers,
> /p2
As I can see hexencoded strings will also be filtered by the
function mysql_escape_string(). For example %27 will be converted
into the ASCII-character ' and then it will be escaped by \
resulting it into \'. So hexencoded strings can't bypass this
filter, can they?
Greetings
Koen Bossaert wrote:
You probably also don't want * and %.
You can also make use of prepared statements or stored procedures
against SQL Injection.
Regards,
Koen
On 2/7/07, Kellox <kellox@mymail.ch> wrote:
hi everyone!
i was just wondering if this filter function written in php is
safe against
sql injections:
function filter($string) {
$replace = "";
$search = array(">", "<", "|", ";");
$result = mysql_escape_string( str_replace($search, $replace,
$string));
return $result;
}
or could anyone imagine an sql injection attack which bypasses
this filter
function?
___________________________________________________________________________
